CVE-2024-50707
Published: 04 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-50707 is an unauthenticated remote code execution vulnerability in Uniguest Tripleplay versions before 24.2.1. It enables remote attackers to execute arbitrary code by sending an HTTP GET request with a specially crafted X-Forwarded-For header. Classified under CWE-94 (Code Injection), the flaw carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): it is reachable over the network, requires no privileges or user interaction, and fully compromises confidentiality, integrity, and availability, which marks it as critical.
Any remote attacker can exploit this vulnerability without authentication or user interaction, simply by reaching the affected HTTP endpoint over the network. Successful exploitation allows arbitrary code execution, compromising confidentiality, integrity, and availability with a changed scope that extends beyond the vulnerable component.
Vendor advisories provide further details on mitigation, available at https://uniguest.com/cve-bulletins/ and in the CVE-2024-50707 Vulnerability Summary PDF at https://uniguest.com/wp-content/uploads/2025/02/CVE-2024-50707-Vulnerability-Summary.pdf.
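Because the flaw is triggered through X-Forwarded-For, a defender can both detect and blunt it at the reverse proxy by treating that header as what it is meant to be: a comma-separated list of IP addresses. The following Python is an added example, not code from Uniguest or from the advisory; it assumes a JSON-lines access log with an "xff" field and uses a constructed placeholder value rather than any real payload.

```python
import ipaddress
import json

# Constructed sample access-log records (JSON lines); not taken from the advisory.
# A reverse proxy in front of the affected endpoint is assumed to log the raw
# X-Forwarded-For value under "xff". Record 3 holds a non-address placeholder,
# not the real exploitation payload.
SAMPLE_LOG = """
{"ts":"2025-03-04T10:00:01Z","method":"GET","path":"/","xff":"203.0.113.7"}
{"ts":"2025-03-04T10:00:02Z","method":"GET","path":"/","xff":"198.51.100.9, 2001:db8::1"}
{"ts":"2025-03-04T10:00:03Z","method":"GET","path":"/","xff":"203.0.113.7, not-an-address <placeholder>"}
{"ts":"2025-03-04T10:00:04Z","method":"GET","path":"/","xff":""}
""".strip()

MAX_XFF_LEN = 256  # assumed ceiling; a real proxy chain never approaches this

def invalid_xff_tokens(value: str) -> list:
    """Return the comma-separated X-Forwarded-For entries that are not valid
    IPv4/IPv6 addresses. The RFC 7239 literal "unknown" is tolerated."""
    bad = []
    for raw in value.split(","):
        token = raw.strip()
        if token == "" or token.lower() == "unknown":
            continue
        try:
            ipaddress.ip_address(token)
        except ValueError:
            bad.append(token)
    return bad

def sanitize_xff(value: str) -> str:
    """Edge mitigation: rebuild the header from its valid entries only, so the
    backend never receives non-address content in X-Forwarded-For."""
    keep = [t.strip() for t in value.split(",")
            if t.strip() and not invalid_xff_tokens(t)]
    return ", ".join(keep)

def scan_access_log(text: str) -> list:
    """Detection: flag records whose X-Forwarded-For carries non-address tokens
    or is implausibly long; returns one finding dict per suspicious record."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rec = json.loads(line)
        xff = rec.get("xff", "")
        bad = invalid_xff_tokens(xff)
        if bad or len(xff) > MAX_XFF_LEN:
            findings.append({"line": lineno, "path": rec.get("path"),
                             "bad_tokens": bad, "length": len(xff)})
    return findings
```

Running `scan_access_log(SAMPLE_LOG)` reports only record 3; `sanitize_xff` shows the header a hardened edge proxy would forward instead, which does not replace patching to 24.2.1.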
Details
- CWE(s): CWE-94 (Code Injection)
- Affected Products: Uniguest Tripleplay, versions before 24.2.1
- MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
The CVE describes an unauthenticated RCE vulnerability in a public-facing web application (via crafted HTTP header), directly enabling initial access through exploitation of public-facing applications.